ADFS Active Authentication in .NET 4.5 (Post-WIF)

I have an ASP.NET web application (runs on .NET 4.5). It currently uses forms authentication. We created an ADFS 3 server with several federations, some internal, some external (client STS), and we would like to configure the web application to use an active authentication model. If I understand it correctly, this means that we will continue to use the login form in my web application and collect user credentials, and then send a security token request to our ADFS server. The token request should apparently tell ADFS which federation the request should be sent to. If everything succeeds, I get a token back from ADFS, validate it, create a ClaimsPrincipal and go from there.

Now, with this background, the problem I am facing is how to send a token request to ADFS in .NET 4.5. Every example that I have seen, despite being marked as applicable to .NET 4.5, uses the old UserNameWSTrustBinding class from WIF. This is deprecated and not included in 4.5. A web search for "UserNameWSTrustBinding 4.5 equivalent" has proven fruitless. I saw how one guy created his own class to duplicate the functionality, but I cannot believe that this is necessary. I have a suspicion that there is a class somewhere that I should use as the binding for WSTrustChannelFactory, but I cannot find it. Or perhaps the entire WSTrustChannelFactory pattern is deprecated (but then why was it included in .NET 4.5)?

Can someone provide a piece of code, or even just shed some light on how to do active authentication in .NET 4.5?

+6
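For reference, this is an added example (not code from the question or the answer below) showing the pieces that replace UserNameWSTrustBinding on plain .NET 4.5: a WS2007HttpBinding in TransportWithMessageCredential mode with UserName message credentials, fed to the WSTrustChannelFactory that ships in System.ServiceModel.Security, followed by validation of the returned token with the System.IdentityModel handler collection. The ADFS endpoint URL, the realm, the issuer name and the signing-certificate thumbprint are placeholders and must be replaced for a real deployment.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Claims;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Xml;

// Added example: active WS-Trust authentication against ADFS on .NET 4.5
// without the WIF 3.5 UserNameWSTrustBinding. All endpoint, realm and
// certificate values below are placeholders.
public static class AdfsActiveAuth
{
    // ADFS "usernamemixed" endpoint: credentials in the message, TLS on the transport.
    const string StsEndpoint = "https://adfs.example.com/adfs/services/trust/13/usernamemixed";
    // Relying-party identifier registered in ADFS for this web application.
    const string Realm = "https://webapp.example.com/";
    // Issuer name and token-signing certificate thumbprint of the ADFS server (placeholders).
    const string AdfsIssuer = "http://adfs.example.com/adfs/services/trust";
    const string AdfsSigningThumbprint = "0000000000000000000000000000000000000000";

    // In .NET 4.5 the binding that UserNameWSTrustBinding used to wrap is an
    // ordinary WS2007HttpBinding with TransportWithMessageCredential security.
    static WS2007HttpBinding CreateUserNameBinding()
    {
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false; // no secure conversation with ADFS
        return binding;
    }

    // Sends an RST (Issue, bearer key) to ADFS with the credentials the web app
    // already collected, and returns the issued token as raw XML.
    public static string RequestTokenXml(string userName, string password)
    {
        var factory = new WSTrustChannelFactory(CreateUserNameBinding(), new EndpointAddress(StsEndpoint));
        factory.TrustVersion = TrustVersion.WSTrust13;
        factory.Credentials.UserName.UserName = userName;
        factory.Credentials.UserName.Password = password;

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(Realm),
            KeyType = KeyTypes.Bearer
        };

        IWSTrustChannelContract channel = factory.CreateChannel();
        try
        {
            var token = (GenericXmlSecurityToken)channel.Issue(rst);
            return token.TokenXml.OuterXml;
        }
        finally
        {
            ((ICommunicationObject)channel).Close();
            factory.Close();
        }
    }

    // Validates the token (signature against the pinned ADFS signing certificate,
    // expiry, audience) and produces the ClaimsPrincipal for the application.
    public static ClaimsPrincipal ValidateToken(string tokenXml)
    {
        var issuers = new ConfigurationBasedIssuerNameRegistry();
        issuers.AddTrustedIssuer(AdfsSigningThumbprint, AdfsIssuer);

        var config = new SecurityTokenHandlerConfiguration
        {
            IssuerNameRegistry = issuers,
            AudienceRestriction = new AudienceRestriction(AudienceUriMode.Always)
        };
        // Reject tokens issued for any other relying party.
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Realm));

        var handlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(config);
        using (var reader = XmlReader.Create(new StringReader(tokenXml)))
        {
            SecurityToken token = handlers.ReadToken(reader);
            ReadOnlyCollection<ClaimsIdentity> identities = handlers.ValidateToken(token);
            return new ClaimsPrincipal(identities);
        }
    }
}
```

The default handler collection understands SAML 1.1 and SAML 2.0 bearer tokens, which is what ADFS issues for a bearer RST. The issuer name registry is the important defensive piece: it ties the issuer name to one signing-certificate thumbprint, so a token signed by any other key fails validation even if it is otherwise well formed. The usernamemixed endpoint is disabled by default on ADFS and must be enabled before the call above can succeed.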
1 answer

So far, my best idea has been to read the username from the user's cookie (if it exists) or from the usual login form when the cookie does not exist. Using this information, I can determine whether they should be sent to the IdP or not. In case they need to be sent to the IdP, I can simply create the request URL and redirect them.

    // Types from System.IdentityModel.Services (the .NET 4.5 WS-Federation module)
    WSFederationAuthenticationModule instance = FederatedAuthentication.WSFederationAuthenticationModule;
    // Arguments: unique id, return URL carried in wctx, remember-me flag
    SignInRequestMessage request = instance.CreateSignInRequest(Guid.NewGuid().ToString(), instance.Realm, true);
    request.AuthenticationType = "urn:federation:authentication:windows"; // becomes the wauth parameter
    Response.Redirect(request.WriteQueryString());

Of course, I can configure this request with the corresponding .HomeRealm or .AuthenticationType value to skip the HRD process, and after that they will be sent back to the application authenticated and with the proper identity.

One of the reasons that this is not an ideal answer for me is that if the user has never registered before or has turned off cookies, then depending on the federation they may end up logging in twice: once in the application's login form and once in the ADFS form. That's why I was hoping the request could be sent programmatically in some way instead of redirecting. That way, I could presumably send the username and password that were already collected by the application, without having to collect them again in ADFS.

For this reason, I will not mark this as the answer. I would like to hold out for something better.

+1
